4

I am not able to understand why creating a group in Active Directory with "local" as the groupType doesn't work. It throws the following exception:

 System.DirectoryServices.DirectoryServicesCOMException (0x80072035): The server is unwilling to process the request.

The following is the code sample:

        var parentEntry = new DirectoryEntry(ParentContainer);
        var groupToCreate = parentEntry.Children.Add(this.AttributeType + this.Name, "group");
        groupToCreate.Properties["description"].Add(this.Description);
        groupToCreate.Properties["displayName"].Add(Name);
        groupToCreate.Properties["groupType"].Add((int)GroupType.DomainLocalGroup); // --> this line throws error.

        groupToCreate.CommitChanges();

If I change from GroupType.DomainLocalGroup to GroupType.DomainGlobalGroup, everything works fine. Can anybody let me know how to get rid of this problem?

Usman
  • as exception message says _"The server is unwilling to process the request"_ I suspect that AD server is unwilling to process this request due to some security restrictions. Do you check that you have enough permissions to invoke this request? – vasily.sib Jun 28 '19 at 10:51
  • Of course. If I replace it with GroupType.DomainGlobalGroup, it works perfectly without any exception. Moreover, I freshly installed a Windows 2016 server image from Microsoft and set up my AD roles. So everything is by default. As I said, it works perfectly with DomainGlobalGroup. – Usman Jun 28 '19 at 10:55
  • _The server is unwilling to process the request._ Ahh, the error message I love most. Whoever wrote that part of the code should be punished! Did you try to create that group manually in that container, e.g. via ADUC? With exactly the same properties? Does that work? Are there any differences in the properties of the local and global group? – Ocaso Protal Jun 28 '19 at 10:59
  • @Ocaso Protal : Thanks for directing me. Yes, it is allowing you while creating a group. But when it is already created, the option which you marked at the time of creation gets blurred (e.g. you created it as 'Local' type, this will be blurred) while the other options (e.g. Global, Universal) will be enabled. I am talking about when you are creating a group manually by going to the Active Directory GUI on Windows Server – Usman Jun 28 '19 at 11:08
  • Sorry that I can't help you any further, but from my memory (last time I did some AD programming was like 3 years ago) that kind of error means that possibly(!!!!!) either one property is wrong or something is missing. I really hate that error message. Have fun! ;) – Ocaso Protal Jun 28 '19 at 11:13
  • One last try. What happens when you omit the `groupType` line? Local group could be the default. And do you know this: https://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C ? – Ocaso Protal Jun 28 '19 at 11:21
  • So I performed your requested step. By default the group is marked as "Global". It's not local or any other type. And yes, I already saw this codeproject stuff. This is also not emphasizing anything regarding GroupType stuff at all. – Usman Jun 28 '19 at 11:27
  • Just to be sure, does `GroupType.DomainLocalGroup` equal 4? – Gabriel Luci Jun 28 '19 at 13:37
  • @Gabriel Luci : yes, that seems to be in hex : &h4 – Usman Jun 28 '19 at 13:49
  • Is your `GroupType` enum defined in a different library? `&H4` is VB.NET notation, but the code you show above is C#. In C# it would be `0x4`. Can you show the code where that is defined? – Gabriel Luci Jun 28 '19 at 13:54
  • Yes, I am trying to convert to C#, so the above was VB.NET. You are right. But these are the following VB.NET based values for these types and they work.. _TYPE_GLOBAL_GROUP = &h2 _TYPE_LOCAL_GROUP = &h4 _TYPE_UNIVERSAL_GROUP = &h8 _TYPE_SECURITY_ENABLED = &h80000000 – Usman Jun 28 '19 at 14:06
  • So is your code that is not working in VB.NET or C#? – Gabriel Luci Jun 28 '19 at 14:09
  • The above constants I provided are written in VB.NET code and they work there absolutely fine (I have been informed, so that script is not in my access). I am trying to create a group and trying to set its type as one of the above constants in C#. – Usman Jun 28 '19 at 14:11
  • I don't know what their equivalent values are in C#. – Usman Jun 28 '19 at 14:11
  • In your C# project, right click on `GroupType.DomainLocalGroup` in Visual Studio and click "Go to Definition". What does it show you? – Gabriel Luci Jun 28 '19 at 14:15
  • public enum GroupType : uint { UniversalGroup = 0x08, DomainLocalGroup = 0x80000004, GlobalGroup = 0x02, SecurityGroup = 0x80000000 } – Usman Jun 28 '19 at 14:18
  • This is my enum. I defined it like that. All I need is to provide these hex values somehow to work, but this hex value 0x80000004 is way too large. – Usman Jun 28 '19 at 14:19

1 Answer

3

According to Microsoft, this is how the group type enum is defined:

  • 1 (0x00000001) Specifies a group that is created by the system.
  • 2 (0x00000002) Specifies a group with global scope.
  • 4 (0x00000004) Specifies a group with domain local scope.
  • 8 (0x00000008) Specifies a group with universal scope.
  • 16 (0x00000010) Specifies an APP_BASIC group for Windows Server Authorization Manager.
  • 32 (0x00000020) Specifies an APP_QUERY group for Windows Server Authorization Manager.
  • 2147483648 (0x80000000) Specifies a security group. If this flag is not set, then the group is a distribution group.

But this is also a flag enum - meaning that values can be combined by adding them together. So yes, 0x80000004 is actually a valid value that means "a domain local security group". (0x4 is a domain local distribution group)

But you do have to cast to an integer (it won't let you set it with a hex value). I'm surprised the exception you got is "The server is unwilling to process the request" because when I do this:

    (int) 0x80000004

I get this compiler error:

    CS0221: Constant value '2147483652' cannot be converted to a 'int' (use 'unchecked' syntax to override)

That's because the decimal value of 0x80000004 is 2147483652, which does not fit in a 32-bit integer.

But you do need to give it a 32-bit integer (you can't just cast to a long). So you have to follow the suggestion and use unchecked when casting:

    unchecked((int) 0x80000004)

Which gives you a decimal value of -2147483644.

So your code should look like this:

    groupToCreate.Properties["groupType"].Add(unchecked((int) GroupType.DomainLocalGroup));

Gabriel Luci
  • Thanks for your valuable comments, but I am wondering about the difference between Scope and Type. I think either we are mixing them or saying it the other way around. What you said above and talked about is Group Scope rather than type, while I can see the Group Type properties are: Security, Distribution. – Usman Jun 28 '19 at 15:01
  • I have edited the post, where I put the pic – Usman Jun 28 '19 at 15:02
  • AD Users and Computers splits it into two things, but in AD itself, it's only one attribute (if you modify the "Group Scope", it changes the `groupType` attribute) – Gabriel Luci Jun 28 '19 at 15:05
  • 1
    Thanks for your comments and guidance regarding this. :-) – Usman Jul 01 '19 at 10:00
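
The flag arithmetic from the answer and the scope/type split from the comments, as an added example that is not code from the question or the answer. `GroupTypeFlags` and `GroupTypeCodec` are hypothetical names; the flag values are the ones listed in the answer. It builds the signed 32-bit value for `groupType` and decodes a stored value back into scope and security/distribution.

```csharp
using System;

// Hypothetical enum for this example; values taken from the list in the answer.
[Flags]
public enum GroupTypeFlags : uint
{
    Global      = 0x00000002,
    DomainLocal = 0x00000004,
    Universal   = 0x00000008,
    Security    = 0x80000000
}

public static class GroupTypeCodec
{
    private const GroupTypeFlags ScopeMask =
        GroupTypeFlags.Global | GroupTypeFlags.DomainLocal | GroupTypeFlags.Universal;

    // Build the signed 32-bit value to pass to Properties["groupType"].
    public static int Encode(GroupTypeFlags scope, bool security)
    {
        // Sanity check in this example: the caller must pass exactly one scope flag.
        if (scope != GroupTypeFlags.Global && scope != GroupTypeFlags.DomainLocal
            && scope != GroupTypeFlags.Universal)
            throw new ArgumentException("Exactly one scope flag is required.", nameof(scope));

        GroupTypeFlags flags = security ? scope | GroupTypeFlags.Security : scope;
        return unchecked((int)(uint)flags);   // same 32 bits, reinterpreted as Int32
    }

    // Split a stored groupType value into the two things ADUC shows separately.
    public static (GroupTypeFlags Scope, bool Security) Decode(int raw)
    {
        var flags = (GroupTypeFlags)unchecked((uint)raw);
        return (flags & ScopeMask, (flags & GroupTypeFlags.Security) != 0);
    }

    public static void Main()
    {
        foreach (var scope in new[] { GroupTypeFlags.Global, GroupTypeFlags.DomainLocal, GroupTypeFlags.Universal })
        foreach (var security in new[] { true, false })
        {
            int raw = Encode(scope, security);
            var decoded = Decode(raw);
            Console.WriteLine($"{scope,-11} security={security,-5} -> {raw,11} (0x{raw:X8}) -> {decoded.Scope}, security={decoded.Security}");
        }
    }
}
```

Every security group comes out negative because bit 31 is the sign bit of an Int32, which is why the cast has to be `unchecked`.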